How long do DDoS attacks last?

DDoS (Distributed Denial of Service) attacks can last from a few minutes to weeks depending on the attacker’s resources and motivations. Some key factors that determine the duration of a DDoS attack include:

Type of DDoS attack

There are different types of DDoS attacks that vary in complexity and duration:

  • Volume-based (volumetric) attacks – Floods such as UDP floods and reflection/amplification via DNS, NTP or memcached that aim to saturate the target's bandwidth. They are the easiest to spot and are usually filtered upstream, so they typically last from 30 minutes to a few hours, and many end within minutes.
  • Protocol attacks – SYN floods, fragmented-packet floods and similar traffic that exhaust connection state tables in servers, firewalls and load balancers rather than raw bandwidth. Because each packet is cheap to send and hard to tell from a legitimate connection attempt, they can be sustained from several hours to days.
  • Application layer attacks – HTTP/HTTPS request floods, slow-request attacks and abuse of expensive endpoints (search, login, API calls). They need little bandwidth and mimic real users, so they can be sustained for several hours to weeks.

Size of the botnet

Botnets of thousands to millions of compromised devices give attackers the traffic volume needed to overwhelm targets. Size affects duration less directly: a larger pool lets the attacker keep a flood going while individual bots are blocked, cleaned up or go offline, and lets it rotate sources to stay ahead of filtering. As rough ranges:

  • Small botnets (thousands of bots) – attacks lasting hours.
  • Medium botnets (tens of thousands of bots) – attacks lasting days.
  • Large botnets (hundreds of thousands to millions of bots) – attacks lasting weeks.

Defender’s resources

The defender's capacity mainly determines whether an attack succeeds, which in turn affects how long the attacker keeps going: a flood that achieves nothing is usually abandoned quickly, while one that keeps a target down is cheap to continue. Well-provisioned networks and cloud providers absorb attacks that would take a small business offline within minutes:

  • Small businesses may go down under small attacks lasting minutes.
  • Medium enterprises may withstand medium-sized attacks lasting hours.
  • Large networks and cloud providers can withstand very large attacks for days.

Attack intervals

Attackers may send intense traffic for a short period, go quiet, and then start again. These interval (pulse-wave) attacks aim to wear down on-demand mitigation, which has to re-engage for every pulse, and to keep the defender guessing whether the attack is over:

  • Short 1-2 hour bursts repeated over days.
  • 12 hour bursts every few days over weeks.
  • Gradual ramping up of attack volume over weeks.

Attacker motives

The attacker’s motivations also impact duration. Financially motivated attacks tend to be shorter, while hacktivism/political motivations can fuel longer attacks:

  • Financial extortion – Short attacks lasting hours/days until ransom is paid.
  • Revenge – Intermittent attacks over weeks to cause maximum damage.
  • Hacktivism – Unpredictable but can go on for weeks.
  • Nation-state actors – Strategic long-duration attacks over months.

Impact on victim

The impact on the victim also influences duration. If the attacker believes the goal has been achieved, they may stop:

  • Service disruption – The attack may end once the outage is public, for instance when it reaches the news.
  • Reputation damage – The attack may end once visible harm has occurred, such as a drop in the share price.
  • Financial losses – The attack may end once the attacker judges the losses large enough.

Defender response

An effective response can shorten an attack or make the attacker give up, but each measure has a cost worth knowing before it is used:

  • Blackholing attack traffic (remotely triggered blackhole, RTBH) – the upstream drops all traffic to the attacked address or prefix. It protects everything else on the network but completes the outage for that address, so it suits a single sacrificial target rather than a whole service.
  • Increasing bandwidth to absorb it – only helps against attacks smaller than the new capacity; it does not keep up with terabit-scale floods.
  • Using anti-DDoS scrubbing services to filter it.
  • Shutting down targeted services temporarily – itself an outage, but one under the defender's control.
  • Working with ISPs to filter upstream (for example via BGP Flowspec rules or RTBH communities) before the traffic reaches the defender's links.
  • Identifying and disrupting botnet command-and-control (C&C) servers, usually together with hosting providers and law enforcement.

Law enforcement action

Involvement of law enforcement can also compel attackers to stop in order to avoid being traced, particularly when attacks:

  • Violate computer crime laws.
  • Cause large-scale disruption to infrastructure.
  • Inflict major financial damages.

Typical DDoS attack duration examples

Some examples of real-world DDoS attack durations across different scenarios (grouped by the attack's main vector):

Volumetric attacks

  • 2018 GitHub attack – memcached reflection/amplification peaking at 1.35 Tbps; traffic was diverted to a scrubbing provider and the attack was over in roughly 20 minutes.
  • 2018 memcached wave – a series of memcached reflection attacks in late February and early March 2018, including a 1.7 Tbps attack reported by NETSCOUT Arbor; the wave spanned several days, but each individual attack was short.
  • 2020 AWS attack – CLDAP (UDP) reflection peaking at 2.3 Tbps, reported by AWS Shield, which described three days of elevated threat around it.

Protocol attacks

  • 2016 Dyn attack – Mirai botnet traffic against the DNS provider Dyn in three waves over roughly 11 hours on 21 October 2016; it overwhelmed Dyn's DNS infrastructure with floods of queries and other traffic rather than exploiting a protocol vulnerability.

Application layer attacks

  • 2017 WireX botnet – HTTP floods from tens of thousands of infected Android devices; the botnet was active for about two weeks in August 2017 before a coordinated takedown removed its apps from Google Play.
  • 2021 Cloudflare attack – HTTP flood peaking at 17.2 million requests per second from a Mirai-variant botnet of around 20,000 bots; the burst delivered over 330 million requests and lasted well under a minute.
  • 2021 Mēris botnet – HTTP request floods from compromised MikroTik routers, peaking at 21.8 million requests per second against Yandex in September 2021, with repeated attacks over several weeks.
  • 2022 Google Cloud attack – HTTPS flood peaking at 46 million requests per second, mitigated by Cloud Armor; it lasted 69 minutes.

Statistical overview of DDoS attack duration

Some statistics on typical DDoS attack durations from different reports:

Report            Typical attack duration
Netscout 2020     Average 37 hours, median 2 hours
Imperva 2021      Average 3 days, longest 37 days
Cloudflare 2021   Average 4 days, longest 15 days
Neustar 2022      Average 22 hours, median 2 hours

Where both figures are reported, the median (2 hours) is far below the average (22 to 37 hours), so most attacks are short and the averages are pulled up by a small number of multi-day outliers.

Factors impacting DDoS duration

Based on an analysis of different DDoS duration reports, here are some trends in how certain factors impact duration:

  • Application layer attacks (HTTP floods against endpoints such as search, login or APIs) last over 3x longer than network layer attacks.
  • Ransom DDoS attacks are 6x shorter than hacktivist motivated attacks.
  • Attacks exceeding 100 Gbps bandwidth last 4x longer than attacks below 10 Gbps.
  • Multi-vector attacks combining different techniques last over 2x longer than single-vector attacks.
  • Gaming sector sees 3x longer attacks than financial organizations.

Average DDoS attack duration by year

Analyzing historic data also shows attack duration increasing year over year:

Year   Average attack duration
2018   17 hours
2019   22 hours
2020   26 hours
2021   29 hours

This indicates attacker tools, resources and skills continue to mature allowing longer attacks to be sustained over time.

Steps to mitigate lengthy DDoS attacks

Regardless of their expected duration, organizations should take proactive steps to manage the risk of prolonged DDoS attacks including:

Network and application monitoring

Monitoring gives the visibility to detect an attack quickly and to tell what kind it is, which decides the response: a bandwidth flood, a SYN flood and an HTTP flood are mitigated differently. Watch both the network (bits and packets per second per link and per protocol, flow records) and the application (requests per second, error rates, latency, per-client request rates) in real time, and baseline normal traffic so that deviations stand out rather than relying on a fixed threshold.
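The following is an added example, not code from the original article: a rate-based detector that baselines per-second request counts from web access log lines, flags seconds well above the baseline, splits them into separate bursts when quiet gaps separate them (so the pulse-wave pattern from the "Attack intervals" section above shows up as several bursts), and names the top sources of each burst. The log format is the common "combined" format; the threshold factor, gap, IP addresses and the sample log are constructed assumptions.

```python
"""Rate-based detection of HTTP flood bursts in web access logs.

Added example, not code from the original article. The threshold factor,
gap, IP addresses and the sample log below are constructed assumptions."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Only the client address, timestamp and request line of a combined-format line are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (epoch_second, client_ip, request_line), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return int(ts.timestamp()), m.group("ip"), m.group("req")


def build_timeline(lines):
    """Per-second request totals and per-second per-client counts."""
    per_sec = Counter()
    sources = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        sec, ip, _ = parsed
        per_sec[sec] += 1
        sources[sec][ip] += 1
    return per_sec, sources


def find_bursts(per_sec, baseline_rps, factor=10, max_gap=2):
    """Spans of seconds whose rate exceeds factor x baseline.

    Hot seconds separated by more than max_gap quiet seconds become separate
    bursts, so a pulse-wave attack is reported as several spans, not one."""
    threshold = baseline_rps * factor
    bursts = []
    for sec in sorted(s for s, n in per_sec.items() if n > threshold):
        if bursts and sec - bursts[-1][1] <= max_gap:
            bursts[-1][1] = sec
        else:
            bursts.append([sec, sec])
    return [tuple(b) for b in bursts]


def top_talkers(sources, burst, n=3):
    """Clients with the most requests inside one burst span."""
    total = Counter()
    for sec in range(burst[0], burst[1] + 1):
        total.update(sources.get(sec, {}))
    return total.most_common(n)


def analyze(lines, factor=10):
    """Baseline the log, find bursts (as offsets from the first logged second) and their top sources."""
    per_sec, sources = build_timeline(lines)
    # Median rather than mean, so the attack seconds do not inflate the baseline.
    baseline = statistics.median(per_sec.values())
    first = min(per_sec)
    bursts = find_bursts(per_sec, baseline, factor)
    return {
        "baseline_rps": baseline,
        "bursts": [(s - first, e - first) for s, e in bursts],
        "top_talkers": [top_talkers(sources, b) for b in bursts],
    }


def make_sample_log():
    """Constructed sample: 90 s of 2 rps background traffic, a 5 s burst of 40 extra rps
    from three bot addresses, 20 s of quiet, then an identical second burst (pulse wave)."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(sec, ip, path):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')

    for sec in range(90):
        for k in range(2):
            add(sec, f"10.0.{k}.{sec % 50}", "/")
    bots = ["203.0.113.5", "203.0.113.9", "198.51.100.7"]
    for start in (20, 45):
        for sec in range(start, start + 5):
            for i in range(40):
                add(sec, bots[i % 3], "/search?q=x")
    return lines


if __name__ == "__main__":
    report = analyze(make_sample_log())
    print("baseline rps:", report["baseline_rps"])
    for span, talkers in zip(report["bursts"], report["top_talkers"]):
        print(f"burst at +{span[0]}s..+{span[1]}s, top sources: {talkers}")
```

The median baseline matters: an average over the same window would be dragged up by the attack seconds and the second burst could slip under the threshold. In production the baseline would come from a longer history than the window being inspected, and the per-burst top talkers feed the rate limiter or upstream filter rather than a print statement.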

Emergency response plan

Have a documented plan for responding to DDoS attacks covering all personnel roles, communications, actions like blackholing traffic, liaising with ISPs etc. This provides a roadmap to follow in the chaos of an actual attack.

DDoS mitigation service

A cloud-based scrubbing service can provide the bandwidth and filtering capacity required to absorb even large volumetric and multi-vector attacks that would overwhelm most enterprise environments. Decide in advance between always-on and on-demand protection: on-demand diversion (by BGP announcement or DNS change) takes minutes to engage, which is longer than many attacks last, whereas always-on filtering also catches short bursts and pulse-wave attacks.

Web application security

Harden external-facing web applications: validate input, rate-limit per client and per endpoint, apply IP reputation lists, detect bots, and cache or cheapen the expensive endpoints (search, login, report generation) that application layer attacks single out. This reduces exposure to extended application layer attacks, which use little bandwidth and mimic legitimate traffic, so they are rarely stopped by network-level filtering alone.

Network security

Use intrusion detection and next-generation firewalls to spot anomalies quickly, but remember that on-premises devices only see traffic that has already crossed the upstream link; once that link is saturated they cannot help. Arrange in advance with the ISP to block malicious traffic closer to the source (for example through BGP Flowspec or RTBH) before it saturates bandwidth.

Keep software updated

Regularly patch and update operating systems, applications, network devices etc. to eliminate vulnerabilities that could be exploited in protocol and application attacks.

Consider failover options

For extremely critical services, failover options like cloud disaster recovery, secondary ISP links, server redundancy can keep services running during prolonged disruptions.

Contact law enforcement

In case of criminal activity, work proactively with law enforcement like the FBI to investigate large-scale attacks and take legal action to shut down attackers.

Conclusion

DDoS attacks can vary in duration from minutes to weeks depending on the attacker’s capabilities and motives as well as the organization’s defenses. By understanding attack types, monitoring traffic, investing in mitigation and improving application and network security, businesses can limit the duration and impact of DDoS disruptions.